Weekly Cybersecurity Threat Advisory


Threat Landscape Summary (24 November – 1 December, 2025)

I. EXECUTIVE SUMMARY

The week of November 24 to December 1, 2025, coincided with the global “Black Friday” and “Cyber Monday” shopping window, resulting in an unprecedented spike in retail-focused cybercrime and logistical supply chain disruption. While consumer-facing phishing dominated the volume of attacks, the most severe impacts were felt in the telecommunications and shipping sectors, where “Clop” and “Black Shrantac” successfully weaponized infrastructure vulnerabilities to exfiltrate multi-terabyte datasets.

Key Highlights:

  • Logistics Under Siege: FedEx Express and DHL Global Forwarding reported significant operational delays following “extortion-only” attacks that targeted their package tracking and manifest databases.
  • Telecommunications Breach: T-Mobile disclosed a new unauthorized access incident involving 2.1 million subscribers, originating from a compromised third-party API used for credit checks.
  • The Shai-Hulud Escalation: The “Shai-Hulud” NPM worm evolved this week, now targeting the Python (PyPI) and Rust (Crates.io) ecosystems, effectively poisoning the development pipelines of at least 15 Fortune 500 tech firms.

Dominant Trends:

  • “Living-off-the-Checkout”: A 45% increase in e-skimming (Magecart) activity was detected, with attackers using AI to generate unique, obfuscated scripts for every individual victim session to evade signature-based detection.
  • Holiday Phishing Fatigue: Ransomware groups capitalized on the surge in legitimate delivery notification emails to hide “Oyster” backdoor payloads inside fake shipping exception alerts.

II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW

The global threat landscape shifted toward high-velocity consumer data harvesting. Threat actors leveraged the seasonal increase in digital transactions to mask their traffic, with a particular focus on bypassing “3D Secure” authentication via sophisticated adversary-in-the-middle (AiTM) phishing kits.

Key Observations:

  • Regional Focus: North America and Western Europe saw a 22% increase in ransomware incidents compared to the previous week, primarily driven by retail and e-commerce targets.
  • SaaS Poisoning: Actors are increasingly moving from “server-side” exploits to “app-side” exploits, targeting the integration points between Shopify, Magento, and third-party loyalty programs.

III. NOTABLE INCIDENTS AND DATA BREACHES

T-Mobile (Telecom): On November 26, the company confirmed a breach via an external API. Attackers accessed PII, including names, billing addresses, and partial SSNs for 2.1 million customers.

FedEx Express (Logistics): A targeted campaign by the “GENESIS” ransomware group disrupted manifest processing in European hubs. While no encryption was reported, the group claims to have stolen 4.2TB of internal routing and customer data.

Mercado Libre (E-commerce): The Latin American giant reported an unauthorized intrusion into its source code repositories, potentially exposing internal security protocols and proprietary fraud-detection algorithms.

Sony Interactive Entertainment (Media/Gaming): A major leak surfaced on November 28, allegedly containing employee records and future product roadmaps. The breach is currently being attributed to a vulnerability in a legacy file-transfer server.

Decathlon (Retail): The global sports retailer disclosed a misconfigured database that exposed over 5 million customer records including purchase histories and encrypted passwords.

IV. COMPREHENSIVE INCIDENT SUMMARY TABLE

| Date | Affected Organization | Sector | Incident Type | Impact |
|---|---|---|---|---|
| Nov 24, 2025 | Sony (SIE) | Media | Extortion | Employee data & product roadmaps leaked |
| Nov 26, 2025 | T-Mobile | Telecom | API Breach | 2.1M customer records exposed |
| Nov 27, 2025 | Decathlon | Retail | Cloud Leak | 5M records (PII/Purchases) |
| Nov 28, 2025 | FedEx Express | Logistics | Data Extortion | 4.2TB of sensitive manifest data |
| Nov 30, 2025 | Mercado Libre | E-commerce | Source Code Theft | Internal repositories compromised |
| Dec 01, 2025 | British Airways | Aviation | Phishing/AiTM | Thousands of customer sessions hijacked |

V. CURRENT THREAT LANDSCAPE ANALYSIS

The “SilentSeller” Stealer:

A new malware family, dubbed “SilentSeller,” emerged this week specifically targeting small-to-medium business (SMB) web-store owners. Unlike traditional stealers that target consumer credit cards, SilentSeller exfiltrates browser cookies and session tokens for merchant dashboards, allowing attackers to hijack entire storefronts to redirect payments.
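
A replayed merchant-dashboard cookie shows up as an established session whose client context suddenly differs from the one that logged in. The following detection logic is an added example written for this advisory, not code from the report or from any storefront vendor; the policy it encodes (alert on a full IP plus browser switch, require step-up authentication for payout or staff changes from any changed context) is an assumption about a reasonable baseline, and the events are constructed sample log records.

```python
"""Merchant-dashboard session hijack detection (added example, not from the advisory)."""
from dataclasses import dataclass

# Actions that move money or change who controls the storefront (constructed list).
SENSITIVE_ACTIONS = {"update_payout_account", "add_staff_account", "change_store_domain"}


@dataclass(frozen=True)
class DashboardEvent:
    ts: int             # seconds since epoch (constructed values)
    session_id: str
    client_ip: str
    user_agent: str
    action: str


def detect_session_hijack(events):
    """Return (session_id, verdict, action) tuples for events that need attention.

    verdict is "alert" for a full context switch (likely token replay) or a
    session with no observed login, and "step-up" for a sensitive action that
    arrives from a context that differs in only one attribute from the login.
    """
    login_context = {}  # session_id -> (client_ip, user_agent) captured at login
    verdicts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "login":
            login_context[e.session_id] = (e.client_ip, e.user_agent)
            continue
        ctx = login_context.get(e.session_id)
        if ctx is None:
            # Session used without a login we saw: treat as a replayed token.
            verdicts.append((e.session_id, "alert", e.action))
            continue
        ip_changed = e.client_ip != ctx[0]
        ua_changed = e.user_agent != ctx[1]
        if ip_changed and ua_changed:
            verdicts.append((e.session_id, "alert", e.action))
        elif e.action in SENSITIVE_ACTIONS and (ip_changed or ua_changed):
            verdicts.append((e.session_id, "step-up", e.action))
    return verdicts


# Constructed sample: sess-A is the owner roaming to a mobile network (IP change
# only); sess-B is replayed from another host and browser and immediately
# changes the payout account; sess-C is used without any observed login.
SAMPLE_EVENTS = [
    DashboardEvent(1000, "sess-A", "203.0.113.5", "Firefox/131", "login"),
    DashboardEvent(1100, "sess-A", "198.51.100.7", "Firefox/131", "view_orders"),
    DashboardEvent(1200, "sess-A", "198.51.100.7", "Firefox/131", "update_payout_account"),
    DashboardEvent(2000, "sess-B", "203.0.113.9", "Chrome/131", "login"),
    DashboardEvent(2050, "sess-B", "192.0.2.44", "Chrome/119", "view_orders"),
    DashboardEvent(2060, "sess-B", "192.0.2.44", "Chrome/119", "update_payout_account"),
    DashboardEvent(2100, "sess-C", "192.0.2.44", "Chrome/119", "add_staff_account"),
]

if __name__ == "__main__":
    for session_id, verdict, action in detect_session_hijack(SAMPLE_EVENTS):
        print(f"{session_id}: {verdict} on {action}")
```

The User-Agent comparison is a weak signal on its own, since a stolen profile can be replayed with the same browser string; the durable control is the step-up rule, which forces re-authentication for payout and staff changes regardless of how convincing the session looks.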

AI-Enhanced Magecart:

Traditional Magecart scripts are being replaced by “Dynamic Skimmers.” These scripts use a small LLM-based module to identify the specific structure of a checkout page in real-time and inject fields that perfectly mimic the site’s CSS, making them nearly invisible to manual code reviews.
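
Because a dynamic skimmer emits a unique, obfuscated script per session (the trend noted in the executive summary) and injects fields that blend into the page, signature matching fails; an allow-list audit does not, since it reports everything the checkout page was not expected to contain. The auditor below is an added example written for this advisory, not code from the report or from any platform vendor: external scripts must have a known src and the expected Subresource Integrity value, inline scripts must match a known SHA-384 digest, and form inputs must use expected names. The page HTML, hostnames, digests and field names are constructed samples, and the obfuscated-looking inline script is a harmless no-op stand-in.

```python
"""Allow-list audit of a checkout page's scripts and form fields (added example)."""
import hashlib
from html.parser import HTMLParser


def sha384_hex(text: str) -> str:
    return hashlib.sha384(text.encode("utf-8")).hexdigest()


# Constructed allow-lists describing what the checkout page should contain.
EXPECTED_EXTERNAL = {
    # script src -> SRI integrity value the tag must carry (constructed value)
    "https://cdn.example-shop.test/checkout.js": "sha384-CONSTRUCTEDDIGEST",
}
KNOWN_INLINE_DIGESTS = {sha384_hex("console.log('checkout ready');")}
EXPECTED_INPUTS = {"email", "card_number", "expiry", "cvc"}


class CheckoutAuditor(HTMLParser):
    """Collects (finding_type, detail) tuples while parsing the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_attrs = None   # attributes of the <script> currently open
        self._script_body = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_attrs = a
            self._script_body = []
        elif tag == "input":
            name = a.get("name") or ""
            if name and name not in EXPECTED_INPUTS:
                # A field that is not part of the known checkout form.
                self.findings.append(("unexpected-input", name))

    def handle_data(self, data):
        if self._script_attrs is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or self._script_attrs is None:
            return
        attrs = self._script_attrs
        body = "".join(self._script_body).strip()
        self._script_attrs = None
        src = attrs.get("src")
        if src:
            expected = EXPECTED_EXTERNAL.get(src)
            if expected is None:
                self.findings.append(("unknown-src", src))
            elif attrs.get("integrity") != expected:
                self.findings.append(("sri-mismatch", src))
        elif sha384_hex(body) not in KNOWN_INLINE_DIGESTS:
            self.findings.append(("unknown-inline", body[:40]))


def audit_checkout(html: str):
    """Return the list of findings for one rendered checkout page."""
    parser = CheckoutAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: the legitimate external and inline scripts, then an
# unknown obfuscated-looking inline script, an unknown third-party script and an
# extra form field, the kind of residue a dynamic skimmer leaves behind.
SAMPLE_CHECKOUT_HTML = """
<form id="checkout">
  <input name="email"><input name="card_number">
  <input name="expiry"><input name="cvc">
  <input name="card_pin">
</form>
<script src="https://cdn.example-shop.test/checkout.js"
        integrity="sha384-CONSTRUCTEDDIGEST"></script>
<script>console.log('checkout ready');</script>
<script>var _0x4f=['x'];(function(a){return a})(_0x4f);</script>
<script src="https://static.looks-legit.test/p.js"></script>
"""

if __name__ == "__main__":
    for kind, detail in audit_checkout(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

Run this against the checkout page as a real browser receives it (a headless fetch from outside the CDN, on a schedule), since a skimmer that decides per session what to inject will not show up in the source repository or in a request from the origin server.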

VI. CRITICAL VULNERABILITIES AND CVEs

| CVE ID | Description | Severity | Mitigation Status |
|---|---|---|---|
| CVE-2025-66002 | Cisco AnyConnect VPN RCE: Unauthenticated buffer overflow in the web-management portal. | 9.8 (Critical) | Extreme Risk. Actively used for initial access. |
| CVE-2025-65001 | Google Chrome Type Confusion: Zero-day in V8 engine exploited in the wild. | 9.1 (Critical) | Update to version 131.0.6778.x or later. |
| CVE-2025-62215 | Windows Kernel EoP: Persistent exploitation of race condition. | 7.0 (High) | Final warning: Unpatched systems are being targeted by “Oyster.” |
| CVE-2025-64900 | Ivanti Connect Secure SSRF: Allows unauthenticated access to internal resources. | 9.4 (Critical) | Apply emergency XML mitigation and patch. |

VII. THREAT ACTOR ACTIVITIES

Black Shrantac (New Ransomware Collective)

  • Focus: High-volume logistics and transport providers.
  • Activity: Credited with the FedEx and DHL disruptions this week. They utilize “Pure Extortion” models and have a dedicated “Press Office” to maximize reputational damage.

Lazarus Group (APT – North Korea)

  • Focus: Cryptocurrency exchanges and SWIFT gateways during high-volume periods.
  • Activity: Observed targeting Southeast Asian fintech startups with “Trojanized” trading applications that bypass macOS “Gatekeeper” security.

Linen Typhoon (APT27 – China-nexus)

  • Focus: Critical Infrastructure and Telecom supply chains.
  • Activity: Leveraging the Ivanti SSRF (CVE-2025-64900) to maintain persistence within European telecommunications backbones.

VIII. MALWARE ANALYSIS

SilentSeller Stealer

  • Capabilities: Steals session cookies, browser profiles, and specifically targets credentials for Shopify, Magento, and WooCommerce.
  • Delivery: Delivered via “Copyright Infringement” phishing emails sent to store owners.
  • Analysis: Written in Rust to avoid signature-based detection; it encrypts all exfiltrated data locally before uploading it to Telegram-based C2 servers.

Oyster Backdoor (Holiday Variant)

  • Changes: Now includes a “Shipping Module” that generates fake PDF delivery receipts. When the user clicks “Track My Package,” the malware uses a DLL sideloading technique to inject into the explorer.exe process.
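
Sideloading into explorer.exe leaves a specific trace: a trusted Windows process loads a DLL that lives outside the Windows directories, usually from a user-writable path and unsigned. The scanner below is an added example written for this advisory, not code from the report or from any tool vendor; it reads Sysmon-style image-load records (Event ID 7 with the Image, ImageLoaded and Signed fields, which are Sysmon's real field names) as JSON lines and returns the loads that match that pattern. The log lines themselves, the "protected process" policy and the path lists are constructed for the example.

```python
"""Flag DLL loads by explorer.exe from outside Windows system paths (added example)."""
import json
import ntpath

IMAGE_LOAD_EVENT_ID = 7  # Sysmon "Image loaded" event

# Processes that should only load DLLs from Windows system locations
# (constructed policy; a real baseline comes from your own telemetry).
PROTECTED_PROCESSES = {"c:\\windows\\explorer.exe"}

# DLL sources considered legitimate for a protected process.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Locations an ordinary user can write to (constructed list).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\",
                         "\\appdata\\roaming\\", "\\users\\public\\")


def classify_image_load(event: dict):
    """Return a reason string if the image-load event is suspicious, else None."""
    if event.get("EventID") != IMAGE_LOAD_EVENT_ID:
        return None
    image = str(event.get("Image", "")).lower()
    loaded = str(event.get("ImageLoaded", "")).lower()
    if image not in PROTECTED_PROCESSES or not loaded:
        return None
    if loaded.startswith(SYSTEM_DLL_DIRS):
        return None
    reasons = ["dll outside Windows system directories"]
    if any(marker in loaded for marker in USER_WRITABLE_MARKERS):
        reasons.append("user-writable location")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("unsigned")
    return "; ".join(reasons)


def scan_image_loads(log_lines):
    """Parse JSON lines and return [(process, dll_name, reason)] for suspicious loads."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than stop the pipeline
        reason = classify_image_load(event)
        if reason:
            hits.append((event["Image"], ntpath.basename(event["ImageLoaded"]), reason))
    return hits


# Constructed sample records in Sysmon's Event ID 7 field layout: a normal
# system DLL load, a process-create event (ignored), a load from a user temp
# folder by explorer.exe, and a vendor application loading its own DLL.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\shell32.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\TrackPackage\\tracker.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "true"}
"""

if __name__ == "__main__":
    for process, dll, reason in scan_image_loads(SAMPLE_LOG.splitlines()):
        print(f"{process} loaded {dll}: {reason}")
```

The rule is deliberately narrow (protected processes only) so that it stays quiet on workstations where third-party software legitimately loads its own DLLs; widen PROTECTED_PROCESSES to other signed system binaries only after baselining what they normally load.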

IX. RECOMMENDATIONS

For Technical Audiences:

  • VPN Hardening: Immediately patch Cisco AnyConnect (CVE-2025-66002). If patching is delayed, disable the web-management interface on public-facing interfaces.
  • API Security: Conduct a review of all third-party API keys (especially for credit-check or loyalty services). Implement “IP Whitelisting” for all administrative API calls to prevent the T-Mobile scenario.

For Non-Technical Audiences:

  1. Delivery Vigilance: Do not click on “Delivery Exception” or “Unpaid Shipping Fee” links in emails. Always go directly to the official carrier website (e.g., fedex.com) and manually type in your tracking number.
  2. Payment Safety: During the holiday season, use “Virtual Credit Cards” or services like Apple Pay/Google Pay which provide one-time tokens rather than sharing your actual credit card number with online retailers.
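
The API Security recommendation above (restricting administrative API calls to known source addresses) is only as good as the address the check is applied to: an allow-list that trusts an X-Forwarded-For header from anyone is trivially defeated. The enforcement below is an added example written for this advisory, not code from the report or from any API gateway; it resolves the real client address by honouring the header only when the direct peer is one of our own proxies, taking the right-most hop that is not a proxy, and then allows /admin/ paths only from allow-listed networks. The networks, the proxy range and the path prefix are constructed for the example.

```python
"""IP allow-list enforcement for administrative API calls (added example)."""
import ipaddress

# Constructed policy: who may call /admin/* and which reverse proxies we trust.
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8",)]
ADMIN_PREFIX = "/admin/"


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def resolve_client_ip(peer_ip: str, x_forwarded_for=None):
    """Return the address policy should be applied to, or None if it cannot be determined.

    The header is believed only when the TCP peer is a trusted proxy. In that
    case the right-most entry that does not belong to a proxy is the client,
    because anything further left was supplied by the client itself.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not x_forwarded_for or not _in_any(peer, TRUSTED_PROXIES):
        return peer
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: fail closed
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return None  # every hop was one of our proxies: no client address to evaluate


def is_request_allowed(peer_ip: str, path: str, x_forwarded_for=None) -> bool:
    """Non-admin paths pass; admin paths pass only from an allow-listed client."""
    if not path.startswith(ADMIN_PREFIX):
        return True
    client = resolve_client_ip(peer_ip, x_forwarded_for)
    return client is not None and _in_any(client, ADMIN_ALLOWLIST)


if __name__ == "__main__":
    # Constructed requests: direct allow-listed client, direct outsider,
    # outsider via proxy with a forged left-most hop, and outsider sending
    # the header without passing through a proxy at all.
    for peer, path, xff in [
        ("203.0.113.7", "/admin/keys", None),
        ("198.51.100.9", "/admin/keys", None),
        ("10.1.2.3", "/admin/keys", "203.0.113.7, 198.51.100.9"),
        ("198.51.100.9", "/admin/keys", "203.0.113.7"),
    ]:
        print(peer, path, xff, "->", "allow" if is_request_allowed(peer, path, xff) else "deny")
```

The allow-list is a network-layer control and does not replace authentication: administrative keys still need to be individually issued, scoped to the operations a partner actually performs, and rotated, which is the "review all third-party API keys" half of the recommendation.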

X. ANALYST NOTES

The convergence of Holiday Phishing and Infrastructure Zero-Days (Cisco, Ivanti) has created a high-risk environment for the first half of December. We anticipate that groups like “Black Shrantac” will release more stolen datasets from logistics companies in the coming days to pressure victims into payment before the end of the fiscal year. Organizations should maintain “Maximum Alert” status for their external-facing VPNs and ensure that any legacy APIs are decommissioned before the holiday staff shortage begins.

XI. CONTACT INFORMATION

Meraal Cyber Security (MCS) Threat Intelligence Team

  • Website: www.meraal.me
  • Email: Office@meraal.me | Naveed@meraal.me
  • Phone: +92 42 357 27575 | +92 323 497 9477

Note on Sources: This report integrates data from CISA KEV, MITRE ATT&CK, and real-time telemetry from dark-web auction sites.
